OMB publishes zero-trust draft strategy
The Office of Management and Budget published a draft strategy Tuesday that will clarify key zero-trust priorities for civilian agencies as they roll out the cybersecurity architecture over the next few years.
Alongside the proposals issued, the Cyber and Infrastructure Security Agency also released a new cloud security technical reference architecture (TRA) and zero-trust maturity model to guide implementation.
Both agencies are seeking public feedback on the draft documents, which they hope will further strengthen the plans.
Top priorities identified in OMB’s new strategy include consolidating agency identity systems, combatting phishing through strong multifactor authentication and treating internal networks as untrusted. It also spells out the need to encrypt traffic and strengthen application security.
The new federal zero-trust strategy is intended to focus government departments on key security outcomes and to set baseline policy and technology requirements. It supports the executive order on cybersecurity issued by President Biden in May, which reignited the push to zero trust.
OMB and CISA publish the documents as part of a long-running campaign to push federal agencies to adopt zero-trust architecture — a strategic initiative that helps prevent successful data breaches by eliminating the concept of trust from an organization’s network architecture.
“Moving to zero-trust architectures will by a multi-year journey for federal agencies, and the government will learn and adjust along the way as new practices and technologies emerge,” OMB said.
CISA’s new cloud security technical reference architecture and zero-trust maturity model were developed as part of a multi-agency effort with contributions from the U.S. Digital Service and the Federal Risk and Authorization Management Program (FedRAMP). The technical reference architecture and zero-trust maturity model are intended to provide agencies with guidance on a range of cloud security-related issues.
“With today’s zero trust announcement, we are clearly driving home the message to federal agencies that they should not automatically trust anything inside or outside of their perimeters,” Federal CIO Clare Martorana said in a release. “They must verify anything and everything trying to connect to their systems before granting access. This is an expectation in a modern technology environment and we look forward to this public comment process to make our strategy even stronger.”
Federal CISO Chris DeRusha said: “The federal government’s approach to cybersecurity must rapidly evolve to keep pace with our adversaries, and moving toward zero trust principles is the road we need to travel to get there … While we feel the urgency to begin implementing this plan, we know that input from the broader community of experts will help ensure it is the right plan. We welcome feedback on how we can refine this strategy to best advance federal cybersecurity.”